Monday, February 08, 2010

Loading the Session from a known SessionID

There are cases when pages need to use the same session, even if they are started from different contexts. One example is when trying to open a new window from within a WebBrowser control, or maybe issues with the ReportViewer control, or even some browsers who choose to open frames and new windows on different threads, like FireFox did for me a while ago. One might even imagine a situation where two different browsers open the same site and you want to use the same session. You have a SessionID, you are on the same server, so you should be able to use the session you want!

Here is how you do it:

var sessionID=(string)Request.QueryString["SessionIdentifier"];
if (Request.Cookies["ASP.NET_SessionId"] == null
&& sessionID != null)
Request.Cookies.Add(new HttpCookie("ASP.NET_SessionId", sessionID);

This piece of code must be added in the Global.asax.cs file (create a Global.asax file for your web site if you don't have one) in the void Global_PostMapRequestHandler(object sender, EventArgs e) handler and the sessionID must be given in the URL parameter SessionIdentifier.

Unfortunately you can't do it anywhere else. I've seen attempts to abandon the session in page load or page init and then do this, but it doesn't work. Basically, this post describes a horrible hack that replaces the default cookie where ASP.Net saves the SessionID value just before it is read.

As it can be a security risk, you should also add some validation logic so that the session hijacking is done only on certain pages that are likely to be opened in different application threads.